Malicious Android Backdoor Lets Hackers Steal Your Phone’s Content

Somewhat unsurprisingly, the week we saw Google’s latest “bad app” report into the staggering volume of malware blocked from its Play Store, another warning about dangerous malware sourced from other places has also hit the headlines.

The malware, dubbed Wpeeper by China’s XLab, which reported the “malicious” threat, is described by the researchers as “a typical backdoor Trojan for Android, supporting functions such as collecting sensitive device information, managing files and directories, uploading and downloading, and executing commands.” A fairly nasty menu of what not to have on your phone.

But the “most notable feature of Wpeeper” is not its functionality but rather its network design, “which reflect the meticulous efforts of its creators.”

Wpeeper hides its C2 behind compromised WordPress sites, obfuscating the location and identity of its actual command and control structure, with “commands encrypted with AES and accompanied by an elliptic curve signature to prevent takeover.”

The researchers found 13 commands within Wpeeper, listed below:

Not only does all this indicate a frightening level of sophistication, but Wpeeper ceased its activities just days after discovery, either to hamper security efforts to track down its origins or to give its current infected install base room to operate.

“Perhaps,” suggests XLab’s team, “the repackaged APKs served as downloaders for the Wpeeper backdoor, successfully evading antivirus detection. However, as long as there is network activity, there's a chance of detection.”

It’s with this in mind that the team says “it might be strategically better to voluntarily stop network services, allowing the APKs to maintain their ‘innocent’ status in the eyes of antivirus software, increase their installation numbers, and only then reveal Wpeeper’s true capabilities.”

Wpeeper highlights the risks in sourcing apps from third-party stores. The malware “originated from repackaged applications in the UPtodown Store, where attackers embedded a small code snippet into regular APKs to download and execute the malicious ELF.” Little code was added, and so the infected files passed virus checks.
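One defensive check that follows from the repackaging described above is to diff a suspect APK against a copy obtained from the official store, entry by entry, and flag any new or altered code-bearing files. This is an added example, not code from XLab or from the article; the two "APKs" it compares are ZIP files constructed in memory with placeholder bytes.

```python
"""Spot repackaging: diff a trusted APK against a suspect copy, entry by entry.

Added example, not code from XLab or the Forbes article. An APK is a ZIP, so a
repackaged build differs from the original in its entry list or entry hashes
(e.g. a modified classes.dex or a new native .so). The sample APKs below are
constructed in memory and contain placeholder bytes, not real app code.
"""
import hashlib
import io
import zipfile

# Entries that carry executable code: DEX bytecode and native ELF libraries.
SUSPICIOUS_SUFFIXES = (".dex", ".so")

def entry_hashes(apk_bytes: bytes) -> dict:
    """Map each ZIP entry name to the SHA-256 of its content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}

def diff_apks(trusted: bytes, suspect: bytes) -> dict:
    """Return added, removed and modified entries, plus the subset worth a closer look."""
    a, b = entry_hashes(trusted), entry_hashes(suspect)
    added = sorted(set(b) - set(a))
    removed = sorted(set(a) - set(b))
    modified = sorted(n for n in set(a) & set(b) if a[n] != b[n])
    # A small injected loader shows up as a new or changed DEX/.so entry.
    flagged = [n for n in added + modified if n.endswith(SUSPICIOUS_SUFFIXES)]
    return {"added": added, "removed": removed, "modified": modified, "flagged": flagged}

def build_apk(entries: dict) -> bytes:
    """Constructed stand-in for an APK: a ZIP with the given name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: the "original" and a copy with a small loader added.
ORIGINAL = build_apk({
    "AndroidManifest.xml": b"<manifest placeholder>",
    "classes.dex": b"dex\n035 original bytecode placeholder",
    "res/layout/main.xml": b"<layout placeholder>",
})
REPACKAGED = build_apk({
    "AndroidManifest.xml": b"<manifest placeholder>",
    "classes.dex": b"dex\n035 original bytecode placeholder",
    "classes2.dex": b"dex\n035 injected loader placeholder",   # new DEX entry
    "lib/arm64-v8a/libhelper.so": b"ELF placeholder",            # new native lib
    "res/layout/main.xml": b"<layout placeholder>",
})

if __name__ == "__main__":
    for key, names in diff_apks(ORIGINAL, REPACKAGED).items():
        print(f"{key}: {names}")
```

A repackaged APK also has to be re-signed with a key the attacker controls, so comparing the signing certificate (for example with `apksigner verify --print-certs`) against the official build is a quicker first check before diffing contents.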

While “UPtodown is a third-party app store similar to Google Play, with a vast global user base,” there’s not the same transparency, so little is known about its download and install numbers, though they run to the thousands at least.

Earlier this week, Google reported that “in 2023, we prevented 2.28 million policy-violating apps from being published on Google Play—in part thanks to our investment in new and improved security features, policy updates, and advanced machine learning and app review processes.” The company also “identified bad actors and fraud rings more effectively and banned 333K bad accounts from Play for violations like confirmed malware and repeated severe policy violations.”

Somewhere between more dangerous threats and better defenses, those numbers are way up on 2022, when Google “prevented 1.43 million policy-violating apps from being published on Google Play... and banned 173K bad accounts.” Those are increases of nearly 60% and more than 90% respectively.

But the official store is still your safest bet, as this latest previously unknown malware, its successful evasion of antivirus defenses and its limited traceability showcase.

Now the malware has been tagged, users with Google Play Protect will likely be protected. But to ensure you stay as safe as you can, here are the golden rules:

  1. Stick to official app stores—don’t use third-party stores and never change your device’s security settings to enable an app to load; also ensure Google Play Protect is enabled on your device.
  2. Check the developer in the app’s description—is it someone you’d like inside your life? And check the reviews, do they look legitimate or farmed?
  3. Do not grant permissions to an app that it should not need: torches and star-gazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that facilitate device control unless you have a need.
  4. Never ever click links in emails or messages that directly download apps or updates—always use app stores for installs and updates.
  5. Do not install apps that link to established apps like Chrome unless you know for a fact they’re legitimate—check reviews and online write-ups.
